Verified Commit efd1ff60 authored by Giancarlo Razzolini's avatar Giancarlo Razzolini

roles/archwiki: Add nginx and php-fpm templates.

Add an nginx template based on the configuration extracted from luna.
Add a php-fpm template based on the one from luna, but changing some
variables, disallow /bin/bash and apply the same disable_functions
as flyspray. This might need to be changed.
parent 76e5fd2b
upstream archwiki {
server unix://{{ archwiki_socket }};
}
server {
listen 80;
listen [::]:80;
server_name {{ archwiki_domain }};
access_log /var/log/nginx/{{ archwiki_domain }}/access.log;
error_log /var/log/nginx/{{ archwiki_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
rewrite ^(.*) https://$server_name$1 permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ archwiki_domain }};
access_log /var/log/nginx/{{ archwiki_domain }}/access.log;
error_log /var/log/nginx/{{ archwiki_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ archwiki_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ archwiki_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ archwiki_domain }}/chain.pem;
root {{ archwiki_dir }}/public;
index index.php;
location ^~ /. {
log_not_found off;
deny all;
}
# special case due to our '/index.php/Main_Page' type URLs
location ~ ^/(?:index|redirect)\.php(?:/.*)$ {
fastcgi_pass archwiki;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
include fastcgi_params;
}
# normal PHP FastCGI handler
location ~ ^/[^/]+\.php$ {
fastcgi_pass archwiki;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
}
# whitelist known OK directories
location ~ ^/(?:skins|resources|images|extensions/ArchLinux/modules)/ {
expires 7d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# block all other directories
location ~ ^/[^/]+/ {
log_not_found off;
deny all;
}
}
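Review bot: The TLS server block (starting at `listen 443 ssl http2;`) sends no `Strict-Transport-Security` header, so the port-80 redirect only protects the first request of a visit and a returning browser still starts in cleartext; unless HSTS is already set at the `http {}` level in nginx.conf, which this section does not show, add `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `ssl_trusted_certificate` line. The whitelisted static directories (`skins|resources|images|...`) include `images/`, which for MediaWiki is presumably where user uploads land, so a `add_header X-Content-Type-Options nosniff;` inside that location would stop browsers from reinterpreting uploaded content as scripts. The two `deny all` locations would also benefit from a one-line comment each, e.g. `# dotfiles at the document root (.git, .htaccess) are never served` above `location ^~ /.`.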
[global]
error_log = syslog
daemonize = no
[{{ archwiki_user }}]
listen = {{ archwiki_socket }}
listen.owner = {{ archwiki_user }}
listen.group = http
listen.mode = 0660
pm = dynamic
pm.max_children = 100
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 30
pm.max_requests = 2000
php_admin_value[open_basedir] = {{ archwiki_dir }}:/usr/bin/diff3:/usr/bin/diff
php_admin_value[session.save_path] = {{ archwiki_dir }}/sessions
php_admin_value[upload_tmp_dir] = {{ archwiki_dir }}/uploads
env[TMPDIR] = {{ archwiki_dir }}/uploads
php_admin_value[opcache.memory_consumption] = 128
php_admin_value[opcache.interned_strings_buffer] = 8
php_admin_value[opcache.max_accelerated_files] = 4000
php_admin_value[opcache.revalidate_freq] = 60
php_admin_value[opcache.fast_shutdown] = 1
php_admin_value[disable_functions] = passthru, exec, proc_open, shell_exec, system, popen
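Review bot: The pool section `[{{ archwiki_user }}]` defines `listen.owner` and `listen.group` but no `user =` / `group =`, and the pool name is not used as the worker identity; when php-fpm is started as root it refuses to start a pool without `user`, and otherwise the workers inherit the master process identity, so add `user = {{ archwiki_user }}` and a matching `group =` line (group name to be confirmed) under the pool header. The `disable_functions` line disables `proc_open`, which MediaWiki presumably uses to run external commands such as the `diff3`/`diff` binaries that `open_basedir` explicitly allows, so these two lines appear to work against each other — confirm which external helpers the wiki actually needs before keeping both. The commit message mentions disallowing /bin/bash, but nothing in this section spells that out; a comment above the `open_basedir` line, e.g. `; only the wiki tree and the diff helpers are reachable from PHP; shells are intentionally absent`, would record the intent.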